Why Multiple Factors?
Authentication factors fall into three categories: something you know (password, PIN), something you have (phone, hardware key), and something you are (fingerprint, face). Combining factors from different categories means an attacker needs to compromise multiple independent systems to get in. Stealing your password from a breach does not help if they also need your physical phone.
SMS One-Time Passwords
Strength: Weak. Convenient but vulnerable to SIM-swapping attacks and real-time phishing. SMS OTPs are much better than nothing, but they should not be the top choice when better options are available.
TOTP Authenticator Apps
Strength: Moderate. Google Authenticator, Authy, Microsoft Authenticator, and 1Password generate time-based one-time passwords per RFC 6238; codes rotate every 30 seconds. TOTP is not phishing-resistant, since a real-time phishing site can capture a code and replay it within its validity window, but it eliminates SIM-swap risk and is a solid choice for most applications.
Push Authentication
ModerateApps like Duo push a notification to the user's phone. Modern implementations use number matching (show the user a code they must verify matches) to defeat automated attacks. Vulnerable to push fatigue if not rate-limited.
Hardware Security Keys
Strength: Strong. YubiKey and similar FIDO2 hardware tokens are phishing-resistant: the credential is bound to the specific domain, so it cannot be used on a look-alike site. Physical possession is required. The gold standard for securing high-value accounts and privileged access.
Passkeys
Strength: Strongest. Passkeys combine the phishing resistance of hardware keys with the convenience of biometrics, synchronized across devices. They are effectively MFA in a single gesture: the device (something you have) plus a biometric or PIN (something you are or know). The recommended default for new systems.